<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-AU" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Hi Team!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Firstly, thank you for your replies, I really appreciate it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Probably worth me outlining how we do this currently.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">I have attached a screenshot of the network topology as seen from the horizon dashboard.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">“Management” node is a VM.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">“HCI-POC-1” is a Bare Metal instance.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Essentially, each tenancy has:<o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="color:black;margin-left:0cm;mso-list:l1 level1 lfo3">
<span style="font-size:11.0pt;font-family:-webkit-standard">Two neutron routers are set up and attached to the external NORTHBOUND VLAN network, where neutron gets an external public IP.<o:p></o:p></span></li>
<ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="color:black;margin-left:0cm;mso-list:l1 level2 lfo3">
<span style="font-size:11.0pt;font-family:-webkit-standard">Routers are separated into IPv4 and IPv6 due to BGP limitations in OS currently.<o:p></o:p></span></li>
</ol>
<li class="MsoListParagraph" style="color:black;margin-left:0cm;mso-list:l1 level1 lfo3">
<span style="font-size:11.0pt;font-family:-webkit-standard">A VXLAN Tenancy network is created and attached to the neutron routers; this is used for VM connectivity.<o:p></o:p></span></li>
<li class="MsoListParagraph" style="color:black;margin-left:0cm;mso-list:l1 level1 lfo3">
<span style="font-size:11.0pt;font-family:-webkit-standard">A VLAN Bare Metal Network is created with the VLAN ID being the same as the VXLAN ID; this is then attached to the IPv4 Router (we only support IPv4 on BM currently).<o:p></o:p></span></li>
<ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="color:black;margin-left:0cm;mso-list:l1 level2 lfo3">
<span style="font-size:11.0pt;font-family:-webkit-standard">This then uses networking-generic-switch to allow ironic to configure the switchports as needed.<o:p></o:p></span></li>
</ol>
</ol>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">So when a floating IP is assigned to a BM node, it’s attached on the neutron router itself.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Naturally IPTables Security groups don’t work in this setup because at no point does any flow pass a BR-INT or compute node; the traffic traverses the L3 Agent and
 its neutron router before going directly back out the VLAN BM Network and hitting the relevant node.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">However, could firewalling be achieved by using the Open vSwitch Firewall driver?
<a href="https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html">
https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">How are others achieving this? Surely people are just leaving BMs out of the mix when it comes to security groups!
</span><span style="font-size:11.0pt;font-family:"Apple Color Emoji";color:black">😃</span><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Also, I should mention, for those following along with this, we’re offering paid consulting time on this issue for anyone who feels they’re up for it!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">Karl.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
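<p class="MsoNormal"><span style="font-size:11.0pt;font-family:-webkit-standard;color:black">An added example, not from this thread: a small Python audit that models the topology described above with constructed Neutron-style records and flags floating IPs whose only path is a baremetal port behind a router that has no FWaaS v2 firewall group bound to it (the neutron-fwaas approach quoted further down). Field names follow the Neutron port, floating-IP and FWaaS v2 firewall-group APIs; the IDs and addresses are made up.</span></p>

```python
"""Audit which floating IPs reach their target without any Neutron-side filtering.

Added example (not from the thread). Security groups are only enforced on the
compute host for ports with binding:vnic_type "normal"; a "baremetal" port is
reached via the neutron router and a VLAN network, so there is no br-int hop
and the only filter that can apply is a FWaaS v2 firewall group bound to the
router's interface ports.
"""

# Constructed sample data shaped like Neutron / FWaaS v2 API responses (fake IDs).
PORTS = {
    "p-vm": {"binding:vnic_type": "normal", "device_owner": "compute:nova",
             "security_groups": ["sg-default"], "device_id": "vm-1"},
    # Security groups are listed on the baremetal port, but nothing enforces them.
    "p-bm": {"binding:vnic_type": "baremetal", "device_owner": "baremetal:none",
             "security_groups": ["sg-default"], "device_id": "bm-1"},
    "p-r4-vlan": {"binding:vnic_type": "normal", "device_owner": "network:router_interface",
                  "security_groups": [], "device_id": "router-v4"},
}
FLOATING_IPS = [
    {"floating_ip_address": "203.0.113.10", "port_id": "p-vm", "router_id": "router-v4"},
    {"floating_ip_address": "203.0.113.11", "port_id": "p-bm", "router_id": "router-v4"},
]
# A firewall group that exists but is bound to no router port protects nothing.
FIREWALL_GROUPS = [
    {"name": "fwg-v4", "admin_state_up": True, "status": "ACTIVE",
     "ingress_firewall_policy_id": "pol-in", "ports": []},
]

def router_ports(router_id, ports):
    """Interface ports of the given router (FWaaS v2 groups bind to these)."""
    return {pid for pid, p in ports.items()
            if p["device_owner"] == "network:router_interface" and p["device_id"] == router_id}

def fwaas_covers_router(router_id, ports, groups):
    """True if an active firewall group with an ingress policy is bound to a port of the router."""
    rp = router_ports(router_id, ports)
    return any(g["admin_state_up"] and g["status"] == "ACTIVE"
               and g["ingress_firewall_policy_id"] is not None
               and rp.intersection(g["ports"])
               for g in groups)

def classify_floating_ip(fip, ports, groups):
    port = ports[fip["port_id"]]
    if port["binding:vnic_type"] == "normal" and port["security_groups"]:
        return "security-groups"       # enforced on the compute host
    if fwaas_covers_router(fip["router_id"], ports, groups):
        return "fwaas-router"          # filtered by FWaaS v2 on the router
    return "UNFILTERED"                # exposed: no enforcement point on the path

def audit(fips=FLOATING_IPS, ports=PORTS, groups=FIREWALL_GROUPS):
    return {fip["floating_ip_address"]: classify_floating_ip(fip, ports, groups) for fip in fips}

if __name__ == "__main__":
    for addr, verdict in audit().items():
        print(addr, verdict)
```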
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Julia Kreger &lt;juliaashleykreger@gmail.com&gt;<br>
<b>Date: </b>Friday, 30 June 2023 at 11:15 pm<br>
<b>To: </b>Slawek Kaplonski &lt;skaplons@redhat.com&gt;<br>
<b>Cc: </b>openstack-discuss@lists.openstack.org &lt;openstack-discuss@lists.openstack.org&gt;, Karl Kloppenborg &lt;kkloppenborg@rwts.com.au&gt;<br>
<b>Subject: </b>Re: [IRONIC] Firewall drivers / implementation<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for the pointer Slawek!<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">I am wondering if the OP is thinking of security groups, and if so, that is done through an ML2 plugin mechanism at the switch-level configuration; however, very few ML2 plugins have supported applying security
 groups to switches because the translation can be difficult or the switches don't support packet inspection without performance degradation.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On Fri, Jun 30, 2023 at 12:27 AM Slawek Kaplonski <</span><a href="mailto:skaplons@redhat.com"><span style="font-size:11.0pt">skaplons@redhat.com</span></a><span style="font-size:11.0pt">> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p style="margin:0cm">Hi,</p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p style="margin:0cm">On Thursday, 29 June 2023 19:08:30 CEST, Karl Kloppenborg wrote:</p>
<p style="margin:0cm">> Hi Team,</p>
<p style="margin:0cm">> </p>
<p style="margin:0cm">> We have Ironic deployed and configured to deploy baremetal on vlans attached to the neutron routers of a tenancy/project.</p>
<p style="margin:0cm">> </p>
<p style="margin:0cm">> However, when assigned a floating IP, there’s no firewall and the server is completely exposed.</p>
<p style="margin:0cm">> </p>
<p style="margin:0cm">> I cannot seem to see any information on Ironic Firewall’s, how are others achieving this?</p>
<p style="margin:0cm">> </p>
<p style="margin:0cm">> Any suggestions would be greatly appreciated.</p>
<p style="margin:0cm">> </p>
<p style="margin:0cm">> Thanks,</p>
<p style="margin:0cm">> Karl Kloppenborg.</p>
<p style="margin:0cm">> Openstack-Helm Team.</p>
<p style="margin:0cm">> </p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p style="margin:0cm">For a firewall at the Neutron router level there is the neutron-fwaas project [1]. Did you check that?</p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p style="margin:0cm">[1] <a href="https://docs.openstack.org/neutron/latest/admin/fwaas-v2-scenario.html" target="_blank">
https://docs.openstack.org/neutron/latest/admin/fwaas-v2-scenario.html</a></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p style="margin:0cm">-- </p>
<p style="margin:0cm">Slawek Kaplonski</p>
<p style="margin:0cm">Principal Software Engineer</p>
<p style="margin:0cm">Red Hat</p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>